University of Maryland computing systems and services are critical to our teaching, research, administration and service. Unfortunately, some individuals and organizations seek to gain unauthorized access to UMD's digital information. Cyberthreats range from individuals attempting financial fraud to organized criminal groups holding data for ransom or nation-state actors seeking access to cutting-edge research.
We all need to do our part to help secure UMD's digital assets. As we start the fall semester, please keep these three key reminders about cybersecurity in mind:
UMD accounts and services are only for UMD business
- Do not use your UMD email for personal activities, such as the contact for your bank accounts or storing your tax returns. Do not use UMD resources for consulting or side businesses.
- Likewise, all UMD business should be conducted on UMD systems and accounts and not via personal email addresses or personally owned computers. Some units still permit limited use of personal devices for UMD business; check with your local IT support for guidance. It is important to remember that if you use a personal device or account for UMD business and there is an investigative matter, you can be compelled by courts or the university to turn over your personal device, including all personal information stored on it or relevant information in your personal account.
Do not forward UMD emails to personal email accounts
- Your UMD login credentials and accounts are targets for cybercrime
- Protect your passphrase and Duo multi-factor authentication (MFA) credentials and never share them with anyone. DIT's security team has seen an increase in email phishing attacks that include links to websites that ask you for your credentials, and some even present a fake Duo page.
- Always verify the authenticity of any login page before entering your credentials, and never approve a Duo push notification you did not initiate. If you receive an unexpected Duo prompt, someone else may be trying to access your account. Duo also shows the login's location—if it does not match your physical location, deny the request and notify DIT immediately.
Most university communications could be required to be disclosed
- Much of the information at UMD, including email, is subject to the Maryland Public Information Act (MPIA). This means individuals and organizations can submit requests for and, unless exempt under a very limited set of MPIA exceptions, receive copies of your email, Instant Messaging (e.g., Gchat, Webex), and other digital records.
- Please give careful thought to the best means of communicating information. Also, please ensure that the contents of your digital records are always written with a high standard of professionalism and that reflect well on you and the university, should they need to be disclosed.
- Additionally, remember that many digital records should be routinely deleted when no longer needed. Speak with your supervisor or see UMD's document retention schedule for more information about deleting records.
Finally, if you suspect any UMD account or computer has been compromised or data leaked to an unauthorized party, please immediately contact UMD's Security Operations Center at soc@umd.edu. To prevent additional damage and allow for forensic examination, please contact SOC before contacting your local IT support team or attempting to correct the problem yourself. Visit the IT security webpage for more information about UMD IT policies, standards, guidelines and incident reporting.
Thank you for your efforts to help protect the digital assets entrusted to the university.
- Adapted from an email to all UMD faculty and staff sent September 9, 2025 and signed by Jeffrey K. Hollingsworth, VP and CIO --